
Fail Safe Philosophy

General

Fail safe is defined as the capability of a system to go to a predetermined safe
state, which is its de-energized state, in the event of one or more failures.

1. Operating Logic

A "1" logic signal is considered to be normal and a "0" logic signal is
the trip state.

Logic output signals shall fail to the "0" state on power failure or
component failure.

In the normal state the output logic shall be energized, and any input
becoming open circuit shall de-energize the associated output circuit.

2. Alarm Signal

The input for an alarm shall go to the open circuit position for an alarm or
abnormal condition.

2. Trip Signal

3. Safety Instrumented System (SIS)

In general, the SIS will be based on a fail-safe (normally energized) design
approach. Provisions for applications that require a "normally de-energized"
design shall be evaluated on a case by case basis.

Loss of both CPUs shall cause system outputs to freeze at their last position
or to drive to the pre-defined fail-safe conditions.

The SIS shall generally follow the principle of "de-energize to trip", except
for some specific devices, such as manual call point push buttons, which shall
be normally open ("energize to trip") and line monitored. All inputs and outputs
that are not configured to be fail-safe shall be line monitored.

The volt-free contact digital outputs shall be closed (with the relay coil
energized) during normal operation and open during a safety trip or in the
fail-safe position.

Signals to field devices from analog and discrete output modules shall be
configurable to either hold the last good value or change to a selectable
value upon failure of the field device or controller module, or upon loss of
communication between the output processor and the controller module.

In case it is not practical to provide a normally energized system, supervised
input and output loops shall be provided to monitor short circuit and open
circuit conditions.

All digital inputs shall be of a fail-safe design. The outputs to solenoid
valves and pumps shall be of a fail-safe design.

              DIGITAL INPUT STATUS                                   SOV
              PERMISSIVE CONDITION   ALARM / TRIP   START (AUTO)

NORMAL        CLOSED                 CLOSED         OPEN            ENERGIZED

ABNORMAL      OPEN                   OPEN           CLOSED          DE-ENERGIZED
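The operating logic of section 1 and the digital input table above can be
checked in code. The block below is an added example, not part of this
philosophy document: it models the two normally closed inputs as contacts, the
normally open START (AUTO) input as a supervised loop, and shows that power
or module failure, an open permissive or trip contact, and a wiring fault on
the supervised loop each produce the output the table calls for. The
end-of-line resistor values, the resistance bands and the 25 % tolerance are
assumptions made for the example; the document does not specify a supervision
scheme.

```python
from dataclasses import dataclass
from enum import Enum


class Contact(Enum):
    CLOSED = "closed"
    OPEN = "open"


class LoopState(Enum):
    NORMAL = "normal"              # contact open, end-of-line resistor seen
    ACTIVE = "active"              # contact closed, demand present
    OPEN_CIRCUIT = "open circuit"  # broken wire or disconnected loop
    SHORT_CIRCUIT = "short circuit"


# Assumed supervision scheme (not from the document): a 4.7 kOhm end-of-line
# resistor across the loop and a 470 Ohm resistor in series with the push
# button, so that every loop condition has a distinct resistance.
R_EOL = 4700.0
R_ACTIVE = 1.0 / (1.0 / R_EOL + 1.0 / 470.0)   # about 427 Ohm with the button closed
R_SHORT_MAX = 100.0                             # at or below this: wires shorted
R_OPEN_MIN = 50_000.0                           # at or above this: loop broken
TOLERANCE = 0.25                                # +/-25 % acceptance band


def classify_supervised_loop(ohms: float) -> LoopState:
    """Classify a line-monitored (energize-to-act) loop from its resistance."""
    if ohms <= R_SHORT_MAX:
        return LoopState.SHORT_CIRCUIT
    if ohms >= R_OPEN_MIN:
        return LoopState.OPEN_CIRCUIT
    if abs(ohms - R_EOL) <= R_EOL * TOLERANCE:
        return LoopState.NORMAL
    if abs(ohms - R_ACTIVE) <= R_ACTIVE * TOLERANCE:
        return LoopState.ACTIVE
    # A reading outside every band is a wiring fault, reported as open circuit
    return LoopState.OPEN_CIRCUIT


@dataclass(frozen=True)
class DigitalInputs:
    permissive: Contact      # normally closed: opens on abnormal condition
    alarm_trip: Contact      # normally closed: opens on alarm / trip demand
    start_auto_ohms: float   # normally open, supervised: measured loop resistance


@dataclass(frozen=True)
class Outputs:
    sov: str                 # "ENERGIZED" or "DE-ENERGIZED"
    start_permitted: bool
    alarm: bool
    trip: bool
    line_fault: bool


def logic_level(contact: Contact) -> int:
    """Normally closed input in the document's convention: closed = 1, open = 0."""
    return 1 if contact is Contact.CLOSED else 0


def evaluate(inputs: DigitalInputs, power_ok: bool = True, module_ok: bool = True) -> Outputs:
    """Resolve the SOV and status outputs for one scan of the inputs."""
    # Power loss or a failed module drives every logic output to "0", which
    # de-energizes the SOV regardless of what the field inputs say.
    if not (power_ok and module_ok):
        return Outputs("DE-ENERGIZED", False, True, True, False)

    healthy = logic_level(inputs.permissive) & logic_level(inputs.alarm_trip)
    start_loop = classify_supervised_loop(inputs.start_auto_ohms)
    line_fault = start_loop in (LoopState.OPEN_CIRCUIT, LoopState.SHORT_CIRCUIT)
    # The energize-to-act loop is not fail-safe: an open wire would otherwise
    # read as "no demand", so a wiring fault is alarmed rather than ignored.
    start_demand = start_loop is LoopState.ACTIVE

    return Outputs(
        sov="ENERGIZED" if healthy else "DE-ENERGIZED",
        start_permitted=bool(healthy) and start_demand,
        alarm=(not healthy) or line_fault,
        trip=not healthy,
        line_fault=line_fault,
    )
```

A trip contact going open and a loss of power both end in the same
de-energized SOV, which is the point of the normally energized design; the
supervised START (AUTO) loop is the one input whose fault does not trip,
which is why the document requires it to be line monitored.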

4. Control Valve

Control valve fail action shall be identified on a case by case basis but,
generally, reflux valves, off-gas valves, product gas valves and cooling water
valves shall fail open, while product valves, steam generator fuel supply
valves and level control valves shall fail closed.
(TO BE DISCUSSED WITH PROCESS ENGINEER)

Emergency shutdown and process shutdown valves are fail closed.

The depressurizing / blowdown valve shall typically be designed to "fail open".
However, the failure position of each valve shall be reviewed during the
design hazard review.

5. Transmitter

The SIS shall be provided with internal software to accomplish transmitter
line monitoring upon failure.

The monitoring system shall discriminate between open-circuit (OC) and
short-circuit (SC) faults and true alarm conditions.

                  0 - 3.999 mA    4.000 - 20.000 mA                 20.0001 - 24.0000 mA
Normal condition  Open circuit    Operating range                   Short circuit
LL threshold      Shutdown        Shutdown at set point or below;   Alarm
                                  operating above set point
HH threshold      Alarm           Shutdown at set point or above;   Shutdown
                                  operating below set point
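The transmitter table above can be implemented as a small decision function.
The block below is an added example, not software from the document or from
any SIS vendor: it classifies a 4-20 mA loop current into the three bands of
the table, converts an in-range current to engineering units over an assumed
0-100 span, and returns the table's action for a low-low (LL) or high-high
(HH) threshold. The band limits come from the table; the conversion span and
the set points used in the usage note are assumptions for the example.

```python
from enum import Enum

# Signal bands as given in the transmitter table (mA)
OPEN_CIRCUIT_MAX_MA = 3.999
SPAN_LOW_MA = 4.0
SPAN_HIGH_MA = 20.0
SHORT_CIRCUIT_MAX_MA = 24.0


class LineState(Enum):
    OPEN_CIRCUIT = "open circuit"     # 0 - 3.999 mA
    OPERATING = "operating range"     # 4.000 - 20.000 mA
    SHORT_CIRCUIT = "short circuit"   # above 20.000 mA


def classify_loop_current(ma: float) -> LineState:
    """Place a measured loop current into one of the table's three bands."""
    if ma < SPAN_LOW_MA:
        return LineState.OPEN_CIRCUIT
    if ma <= SPAN_HIGH_MA:
        return LineState.OPERATING
    # Anything above 20 mA, including readings past the 24 mA column,
    # is treated as a short circuit: the loop is not delivering a valid value
    return LineState.SHORT_CIRCUIT


def eng_value(ma: float, lo: float, hi: float) -> float:
    """Linear 4-20 mA scaling to engineering units over the range lo..hi."""
    return lo + (ma - SPAN_LOW_MA) / (SPAN_HIGH_MA - SPAN_LOW_MA) * (hi - lo)


def transmitter_action(ma: float, kind: str, setpoint: float,
                       lo: float = 0.0, hi: float = 100.0) -> str:
    """Return SHUTDOWN, ALARM or OPERATING for an LL or HH threshold.

    An open circuit reads as a low value, so it is indistinguishable from a
    genuine low-low demand and must shut down an LL loop; it cannot be a
    high value, so an HH loop only alarms. A short circuit is the mirror case.
    """
    state = classify_loop_current(ma)
    if kind == "LL":
        if state is LineState.OPEN_CIRCUIT:
            return "SHUTDOWN"
        if state is LineState.SHORT_CIRCUIT:
            return "ALARM"
        return "SHUTDOWN" if eng_value(ma, lo, hi) <= setpoint else "OPERATING"
    if kind == "HH":
        if state is LineState.OPEN_CIRCUIT:
            return "ALARM"
        if state is LineState.SHORT_CIRCUIT:
            return "SHUTDOWN"
        return "SHUTDOWN" if eng_value(ma, lo, hi) >= setpoint else "OPERATING"
    raise ValueError(f"unknown threshold kind: {kind!r}")


if __name__ == "__main__":
    # Constructed sample readings: an LL trip at 30 % and an HH trip at 80 %
    for current in (2.5, 8.0, 12.0, 18.0, 22.0):
        print(f"{current:5.1f} mA  {classify_loop_current(current).value:16s}"
              f"  LL@30: {transmitter_action(current, 'LL', 30.0):9s}"
              f"  HH@80: {transmitter_action(current, 'HH', 80.0)}")
```

The asymmetry is the whole content of the table: a fault in the direction of
the trip is treated as a trip, a fault in the opposite direction is alarmed
and left for investigation, so a broken wire on a low-low loop never masks a
real low condition.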
